BY PATRICK GILLESPIE
In early December, news outlets reported that Iran-linked hackers broke into the networks of several U.S. water systems, prompting concerns over the country’s ability to withstand future attacks and unclear what impact substantial attacks could have on day-to-day life in America.
The U.S. Cybersecurity & Infrastructure Security Agency, known as CISA, in mid-December reported that the Iranian Government Islamic Revolutionary Guard Corps, a U.S.-designated foreign terrorist organization, has been targeting and compromising Israeli-made Unitronics Vision Series programmable logic controllers. These programmable logic controllers, CISA states, are commonly used in water and wastewater systems, as well as others.
The IRGC-affiliated cyber actors left a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target,” CISA stated. “CyberAv3gers” was the persona used by the organization during the attacks, according to CISA. CISA, the Federal Bureau of Investigation, the National Security Agency, the Environmental Protection Agency and the Israel National Cyber Directorate put out the advisory to bring awareness to the situation.
In an interview with CBS News, Deputy National Security Adviser Anne Neuberger said the attacks were “unsophisticated” and had a “minimal impact” on operations, but offered a warning that the attacks won’t be going away.
It’s unclear if any Florida-based water utility companies were targeted by the group. CNN reported that “less than 10” utilities were affected. Municipal Water Authority of Aliquippa in Pennsylvania was identified as one of the victims.
So, are Florida’s utilities prepared?
Marjorie Craig, Chair of the Florida Section of the American Water Works Association, said Florida’s water utilities have made cybersecurity planning a priority in recent years, and utilities vary in their reliance on operational technologies. The Association in 2021 created a separate cybersecurity committee, the members of which share best practices, meet monthly to share relevant data, disseminate information about potential funding sources, and bring in experts to discuss legislation and trends on the topic.
State and federal funding sources have been available to utilities in recent years, though Craig noted that for smaller utility systems, additional grant opportunities would be beneficial. She noted that free training is available through CyberFlorida, CISA, and other organizations.
America’s Water Infrastructure Act, passed in 2018, requires water systems to conduct comprehensive risk and resilience assessments and develop emergency response plans every five years. House Bill 7055 in 2022 required governments to establish cybersecurity guidelines, required training curriculum, reporting requirements, and other measures.
“Every member of the utility team can play a crucial role in mitigating the risk of cyberattacks by adopting a proactive stance,” she said. “This includes remaining vigilant when handling emails, regularly updating passwords, and collaborating closely with both cybersecurity and IT/OT professionals.”
Craig pointed out that a successful cybersecurity attack could result in data breaches that expose sensitive customer data and physically damage utility systems, affecting healthcare, businesses, firefighting, and other key operations. On top of potential loss of life or property, this could result in financial damage
“You can see that the consequences of a utility compromise are multi-faceted and encompass data security, public safety, and economic stability,” Craig said. “This underscores the imperative nature of robust cybersecurity measures to safeguard both utility operations and the well-being of the communities they serve.”
